Thoughts on PHP File Inclusion Vulnerability

Source: Internet
Author: User

I have just started my research on PHP. Here are some personal opinions on the most common PHP vulnerability, file inclusion:

1. Functions involved: include, require, include_once and require_once

Their usage is not described in detail here; the one most likely to be used is include. Its execution behaviour matters: when include fails to load a file it emits a warning and the script continues, whereas require stops execution after the error. In both cases the error message can leak the physical path of the file. You may think that disclosing a physical path is no big deal, but such information can sometimes lead to fatal security problems. Now back to the inclusion vulnerability itself. Reduced to its simplest form, the vulnerable code looks like this:

    $a = $_GET["id"];

    include("$a");

An attacker only needs to construct a special URL with a value of their choosing in $a to obtain a webshell on the website.

2. Essence

In essence, the argument passed to include is not filtered strictly. This is the simplest and most common vulnerability in PHP. Because it is simple, it is also the one most prone to problems, perhaps even more so than SQL injection. The root cause is that PHP's include function is genuinely convenient: one include can save dozens of lines of code. Now that high-performance web sites are being built everywhere, the popularity of include naturally increases.

3. Solution

Handle the include functions in a unified way. In large-scale project development especially, functions that include files are inevitably called, so we need a single method to process them (that is, to filter their arguments strictly).

1. Use an error-handling function to control the error output so that the visitor cannot obtain detailed information about the included file. (Note: this applies to both local and remote inclusion; solutions for remote file inclusion can be found by searching Google.)

2. Append a fixed extension to the included file, that is, include("$a" . ".txt"). In this case ".txt" is added to the end of the variable.
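The following is an added example, not code from the original post: the vulnerable pattern from section 1 next to a hardened loader that applies remedy 1 (no error details to the visitor) and replaces the raw-path include with a fixed map of request keys to known files. It assumes a pages/ directory beside the script; the page names in PAGE_MAP are placeholders.

```php
<?php
// Added example (not from the original post): the vulnerable pattern from the
// post next to a hardened loader. Assumes a pages/ directory beside this
// script; the page names in PAGE_MAP are placeholders.

ini_set('display_errors', '0');   // remedy 1: no error text (and no path) to the visitor
error_reporting(E_ALL);           // still log everything server-side

// Vulnerable: the request parameter is used directly as the include path.
function load_page_vulnerable(): void
{
    $a = $_GET['id'] ?? '';
    include("$a");
}

// Hardened: a fixed map from request key to known file. The raw value is
// never used as a path, so appending an extension is no longer needed.
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $id): ?string
{
    if (!array_key_exists($id, PAGE_MAP)) {
        return null;                      // unknown key: refuse, do not guess
    }
    $base = realpath(__DIR__ . '/pages');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . '/' . PAGE_MAP[$id]);
    // Defence in depth: even a listed file must resolve inside pages/
    // (realpath follows symlinks, so a swapped file cannot escape).
    if ($path === false || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_page_hardened(): void
{
    $path = resolve_page((string) ($_GET['id'] ?? 'home'));
    if ($path === null) {
        http_response_code(404);
        echo 'Page not found';            // generic message, no file details
        return;
    }
    include $path;
}

load_page_hardened();
```

With the map in place, a request for an unknown id never reaches include at all, and the only paths ever included are the ones listed in the source.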

Note: I have only just begun learning PHP. Please correct me if you find any mistakes.
